Cost Control: Digital Forensics – Part 1

Cost ControlWithin the last decade, use of digital forensics has drastically increased.  The reasons for this are numerous, from mining to investigation to simple preservation as an insurance policy against future litigation.  To understand when and where to spend money on digital forensics, it is important to understand first what you are buying, then understand when it should be used.  This is a very brief treatment of those questions.

Digital forensics occurs in stages and understanding which stages need to occur in a given case is important and potentially will save you or your client from overspending.  “A digital forensic investigation commonly consists of 3 stages: acquisition…analysis, and reporting.”  Casey, Eoghan, Digital Evidence and Computer Crime, Second Edition.

Stage 1

Acquisition (collection) “involves creating an exact sector level duplicate (or “forensic duplicate”) of the media, often using a write blocking device to prevent modification of the original. Both acquired image and original media are hashed (using SHA-1 or MD5) and the values compared to verify the copy is accurate.”  Maarten Van Horenbeeck. “Technology Crime Investigation”, May 2008.  Targeted forensic collections can also occur that net specific data such as email.  Targeted collections are the most common and often the most useful scenario.

Acquisition is the most common digital forensic procedure because it leads to others by necessity.  This is also generally the least expensive stage.  Even if stages two or three are never reached, collection can provide an excellent insurance policy or negotiation tool to parties who are or could possibly become involved in litigation.

Recommendation:  If you are or expect to be involved in litigation, by all means do either a targeted or full forensic collection as circumstances warrant.  This is a fairly low cost hedge against spoliation or loss of important data that could be critical to your cause.  Targeted collections, if they are sufficient for the matter, are preferable.

Look for additional information in Digital Forensics – Part 2 and 3If you would like more information about eDiscovery or how TERIS solutions can assist you, please contact us!

Contact button